Category Archives: Identity 2.0

Zach Martin, editor of CR80 News, recently published an article about the identity and age verification issues we are facing in social networks. You definitely should check it out, but in case you don’t have time, here are some important highlights:

When trying to get into a bar or club there is typically someone at the door checking IDs. But on social networking sites there is no bouncer, which means there’s no way to tell whether you’re corresponding with a 15-year-old girl or a 32-year-old man.

It’s the same no matter where you go. MySpace, Facebook, and professional networking site LinkedIn, do little to make sure people are who they claim to be. “There is a general feeling that social networking is the wild west of identity management and a lot of bad things happen because proper controls haven’t been put in place,” says Roger K. Sullivan, president of the Liberty Alliance Project management board.

The stories range from the tame to the tragic.

A student not happy with an administrator at school creates a profile on a social networking site. Even though the student is a woman she creates a profile that is a man and then flirts with the administrator in order to cause her embarrassment later.

At a Catholic school in the Chicago suburbs, an administrator monitors the popular social sites on a regular basis just to make sure nothing out of the ordinary is happening. She has run into instances where students create accounts in other peoples’ names – people who actually exist – and then make false statements. For example, one student set up an account as a real person from another school and made statements about the student’s sexual proclivities while giving out her real phone number.

In 2006, a fake profile led to the suicide of a 13-year-old Missouri girl. A classmate’s mother originally created the profile to find out if Megan Meier was saying anything bad about her daughter. But then it was used to gain Meier’s confidence and then to tear her down. Angry messages went back and forth, and it ended with Meier hanging herself.

There’s also the need to prevent pedophiles from contacting children online. MySpace has agreed with different states’ attorneys general to adopt better technologies that will help identify underage users so they can be protected from predators, but the social networking site hasn’t figured out how it’s going to do it.

The vast majority of sites don’t do anything to try to confirm the identities of members. The sites also don’t want to absorb the cost of trying to prove the identity of their members. Also, identifying minors is almost impossible because there isn’t enough information out there to authenticate their identity.

But this may all change. As sites become more scrutinized they will have to take steps to make sure people are who they say. “There will be a trend to use a third party that leverages database information that will be able to vouch for you and provide a more certain level of identification,” says Eric Skinner, chief technology officer at Entrust, an Addison, Texas-based digital identification vendor.

There are a handful of vendors that are offering online identity vetting. Most are working with financial institutions, but they see business opportunities with the social networking sites.

The article goes on to describe some social networks and their use of identity verification, including one of our clients, FunkySexyCool, and their use of our system. It also discusses the privacy concerns related to age verification of minors and provides a possible solution the Liberty Alliance is discussing, essentially related to ID 2.0:

Liberty Alliance’s Sullivan, who is also vice president of Oracle Identity Management, says it’s only a matter of time before social networking sites offer tiers of identification assurance, which could be used to confirm a minor’s identity. For example, if a 14-year-old wanted to sign up on MySpace without a parent’s permission they would be placed on the lowest ID tier. “They would be put into a question mark bucket,” Sullivan says.

But if one parent went online and confirmed his child’s identity they would be raised up a tier. If both parents did it they would go up two tiers. The parents would be authenticated through public records and online databases.

Eventually there would be a fourth tier as well. A minor would physically go to a trusted source with documents that prove their age and identity. These identity assurance sources don’t exist, but it’s something the Liberty Alliance is working toward, Sullivan says.

The next task force meeting will be later this month and I’m looking forward to seeing how the conversation progresses. I firmly believe we can find several ways to combat the issues at hand, including both an educational approach and a technological approach.

On another note, I’m off to the RSA Conference next week. IDology has a booth this year so if you are in San Fran, stop by and see us.

What a month. I’ve been back from DIDW for (almost) three weeks and I still haven’t had a chance to blog about the show (or anything else for that matter).

Overall I thought the show was good. I was very pleased to see that there are a lot of smart people at smart companies focused on the issues of identity and working together to take steps toward a solution. Granted, ID 2.0 has some hurdles still to overcome (like finding the right economic model for everyone!) but it is good to see that progress is being made because the identity issues we are facing are not going to just go away.

It was nice to finally put a face with some of the names in the identity space too. I’ve added a new name to my suggested links – Doc Searls – who was one of the keynote speakers the first day and very good (both in content and in style).

Since I’ve been back, I’ve been buried with work so I’m keeping this blog post short. I hope to post again soon.

Digital ID World (DIDW) is next week in San Francisco and I’m really anxious to attend since I was unable to get there last year (gasp!). Different from the RSA show, which is focused on security (with identity being a subset), this conference is completely centered on everything identity – from Identity Management (IdM) to Authentication to identity verification (IdV) to ID 2.0. With so much happening in identity these days, I’m looking forward to catching up with some of the best minds in the business to see and hear about all the progress.

First things first – if you want to see our identity proofing technology at work, visit the Symantec booth #207. Like at RSA, we are again helping to power their Identity Service demonstration by incorporating our knowledge-based authentication process within their demo to show how Identity Providers are establishing trusted identities online. However, different from what was shown at RSA, this demo is more focused on the practical application of the developing identity 2.0 framework and what happens after a trusted identity has been established. Meaning, what is possible for consumers to do with their identity and how to share specific components with a Relying Party (business). Specifically, the demo will focus on how to use CardSpace and OpenID technology through Symantec’s Identity Service to interact and conduct business with one of our wine merchant clients. In other words, how identity silos can be broken down.

Along the same ID 2.0 practical lines, I’m really looking forward to seeing and talking with Ping Identity who is partnering up with ACI Worldwide, the world leader in retail payments, to show how:

“Information Cards has applications beyond pure authentication. For example, Information Cards could be excellent for supplying payment data to an e-commerce merchant during a purchase.”

I’d say both these practical use demonstrations are starting to show how much closer we are to enabling Identity 2.0.

A few posts back I mentioned our partner Identity Rehab… well, they’ve changed their name and are now called ID Watchdog. Check out today’s story in USA Today by Byron Acohido and Jon Swartz, which features a scary case of identity theft and just how complicated it can be when your data is compromised and your identity is stolen.

The keynote speaker was Chris Anderson, the editor of Wired Magazine and author of “The Long Tail.” A few comments in his speech struck me. First is the concept of not limiting choice, but measuring it. To me, this is what Identity 2.0 is all about for businesses – it’s not limiting the choice consumers have but rather measuring (and adapting to) what consumers are comfortable and willing to provide about themselves, given the activity being conducted. Also interesting were the “new scarcities” he defines for the new economy, which are attention and reputation, where the past scarcities related to manufacturing and distribution. The currency of these new scarcities is traffic (attention) and links and page ranks (reputation)… of course, most anyone in marketing already knows the value of these scarcities so I’m not sure they are necessarily “new,” just a lot more important.

Admittedly, I haven’t read the book… yet, but I now have a copy which was free in exchange for turning in my name badge. It was the cherry on top to sum up the point of Chris’s whole speech, which discussed Carver Mead’s counterintuitive 1980 call to “waste transistors.” In this case Chris is “wasting books,” to create abundance, gain more attention and build his reputation.

So sunny San Fran turned out to be not so sunny this week. But the outlook for identity is definitely very bright!

There were definitely some significant events at the show. First, Symantec’s announcement at DEMO the week before to provide an Identity Service and their demonstration (with our technology supporting it, I might add) at RSA definitely made the Symantec booth a place to visit. Symantec’s approach to being an identity provider is fairly comprehensive in terms of helping consumers and businesses tackle the identity problem. And they certainly have the distribution to get consumers behind it, approaching the much debated chicken and egg scenario from the analyst community.

The biggest buzz of course was from Microsoft’s announcement to support OpenID. There is much being written about this announcement and the significance it has for Identity 2.0. This definitely indicates that the collaboration of technologies is being embraced by all to create a more open management system for public identities. If you want to read more about this announcement, check out this article from the Seattle Post Intelligencer, which explains the significance in great non-technical terms for any non-techie readers. You should also check out Kim Cameron’s blog for a more behind the scenes view from Microsoft and technical discussions.

Perhaps one of the most significant things to me was the General Session Panel Discussion on “Pandora’s Box: Youth on the Internet”. Clearly with this high profile focus, the security industry is starting to see the importance age plays in our online world and how we need to provide better ways to protect our children. I think anyone with kids gets this quickly, but impressing the huge dangers the Internet presents to children on those without kids is still very much needed, based on a few personal discussions I had at the event.

No matter how good a parent is, the danger is still present. In fact, before the panel discussion began, we learned that 70% of kids ages 10-17 have received sexual solicitation over the Internet and only 27% have told a parent or guardian about it. There were other scary things discussed which you can read about here in the recap article from CNET. But one thing I was a bit disappointed about is the lack of discussion on age verification in social networks. However, I was very encouraged by a comment from Facebook’s Chris Kelly, who referred to the fact that we need to develop technology solutions that help provide the same protection standards online as in our bricks and mortar world. I couldn’t have said it better myself.

My last post has sparked more interest in knowledge verification and how it works exactly. In response to Kim Cameron’s request in this blog post:

“It would help to understand the concepts better if John would give us some examples of how this works in practice. What kinds of questions are asked, and how does IDology know the answers?”

I will address how this works in practice from two different angles – a consumer point of view and also a business point of view – because both are important in how knowledge verification helps protect consumer privacy and promote the responsible use of data by businesses (which addresses a comment from Adam of Emergent Chaos posted in Kim’s blog).

For the simplicity of these examples, let’s look at this in relation to an e-commerce transaction where we are buying something on the Internet over $250. First, because we (the consumers) have voluntarily submitted our information with the intention of entering into a business transaction, we have given our consent for the business to verify the information we’ve presented. Once the business receives the information, in the interest of controlling fraud and completing the transaction as quickly as possible (avoiding a manual review of the transaction by the business), it uses an automatic system to verify that the personal information submitted is linked to a real person and that the person submitting it is indeed that person. Enter IDology’s knowledge-based authentication (KBA), which scours (without exposing) billions of public data records to develop on-the-fly intelligent multiple choice questions for the person to answer. Our clients vary in their delivery of KBA: some reward their customers with expedited shipping for going through the process, while others consider it a further extension of the credit card approval process, during which various data elements associated with the credit card, such as the address, are validated along with the credit approval.

The key is for a business to use a KBA system that bases its questions on non-credit data and reaches back into your public records history so that the answers are not easily guessed or blatantly obvious. Typically, consumers find credit-based questions (what was the amount of your last mortgage payment, bank deposit, etc.) intrusive and difficult to answer, and these types of answers can be forged by stealing someone’s credit report or accessed with compromised consumer data. Without giving away too much of our secret sauce, our questions relate to items such as former addresses (from as far back as college), people you know, vehicle information and anything else that can be determined confidentially while not exposing data from existing public data sources.

Once the system processes the results (which is all real-time processing), it simply shares how many questions were answered right or wrong so that the business can determine how to handle the transaction further. The answers are not given within the transaction processing (protecting the consumer and the business from employees misusing data) and good KBA systems have lots of different types of questions to ask, so that the same questions are not always presented and one question doesn’t give away the answer to another.
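The result handling described above, as an added sketch in Python that is not IDology's code and not part of the original post: the quiz takes at most one question per category, picks questions at random, and hands the business only counts of right and wrong answers. The names `KbaSession` and `POOL`, every record in the pool, and the single-use rule are assumptions made for illustration.

```python
import random

# Constructed question pool (all records invented for illustration):
# (category, prompt, choices, correct choice)
POOL = [
    ("former_address", "Which street have you lived on?",
     ["Oak St", "Elm Ave", "Pine Rd", "None of the above"], "Elm Ave"),
    ("former_address", "In which city did you live around 1998?",
     ["Macon", "Athens", "Savannah", "None of the above"], "Athens"),
    ("known_person", "Which of these people do you know?",
     ["A. Reyes", "B. Cho", "C. Novak", "None of the above"], "B. Cho"),
    ("vehicle", "Which vehicle has been registered to you?",
     ["1994 sedan", "2001 pickup", "1999 wagon", "None of the above"], "2001 pickup"),
    ("vehicle", "In which state was your vehicle registered?",
     ["Ohio", "Georgia", "Texas", "None of the above"], "Georgia"),
]


class KbaSession:
    """One quiz: at most one question per category, counts-only result."""

    def __init__(self, pool, n=3, rng=None):
        rng = rng or random.SystemRandom()
        by_category = {}
        for category, prompt, choices, correct in pool:
            by_category.setdefault(category, []).append((prompt, choices, correct))
        # One question per category, so no question hints at another's answer;
        # random picks mean repeat sessions do not always see the same quiz.
        self.categories = rng.sample(sorted(by_category), n)
        picked = [rng.choice(by_category[c]) for c in self.categories]
        # Only prompts and choices are exposed; correct answers stay private.
        self.questions = [{"prompt": p, "choices": list(ch)} for p, ch, _ in picked]
        self._answers = [correct for _, _, correct in picked]

    def score(self, submitted):
        """Return only how many answers were right or wrong, never which."""
        if self._answers is None:
            raise RuntimeError("session already scored")  # added assumption: single use
        if len(submitted) != len(self._answers):
            raise ValueError("one answer per question is required")
        right = sum(s == a for s, a in zip(submitted, self._answers))
        asked = len(self._answers)
        self._answers = None  # discard the answer key once the quiz is scored
        return {"asked": asked, "correct": right, "incorrect": asked - right}


if __name__ == "__main__":
    session = KbaSession(POOL)
    guesses = [q["choices"][0] for q in session.questions]
    print(session.score(guesses))
```

The business then applies its own threshold to the counts, and anyone reading the transaction record sees neither the correct answers nor which questions were missed.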

So you see, this is much more than performing shared authentication based on your dog’s name or favorite sports team. And KBA is in the marketplace today working well for both businesses and consumers. In fact, our clients get comments from their customers thanking them for taking the steps to protect their identities through this process. In other words, this can stop the bad guys from committing ID theft.

At the end of the day, the consumer, by completing this ecommerce transaction, is establishing a single pointed trusted identity with that business. The next extension is how the consumer can utilize this verification process to validate his/her identity to complete other economic transactions or have an established verified identity to make posts to a blog or enter into a conversation in a social network where participants have agreed to be verified to establish a trusted network or may be concerned with the age of someone in their verified network. To us, KBA can be an important part of establishing and maintaining a trusted identity.

I hope this provides more clarity for Kim on how KBA works and gives a better understanding of the types of questions presented. While I think I addressed Adam’s first comment related to consumer consent, I still need to address:

“Second, the information that such companies can gather are probably already being gathered by Choicepoint, Acxiom, Google, and others. So the assertions that ‘it’s cheap for us, and expensive for the attackers’ are hard to accept as credible.

Third, if truth and your database don’t agree, then we’re forced to have a reconciliation process, in which I, or the id thief, convince the company to change its answers. How does that process work?”

There are several different verification solutions available today, including some from vendors who are also in the business of gathering, buying and selling data. That is not our (IDology’s) business. We access public data records during a transaction in real time to assist with completing the transaction and make an independent observation about our findings. We don’t aggregate, distribute or otherwise reuse data. In other words, we provide a real-time solution to assist with establishing trusted identities.

So what happens if KBA is unable to verify you? A business would handle the exception transaction as they do now – probably asking us to contact their call center, which may or may not be something I’m willing to do as a consumer.

So, hopefully this (very long, but I wanted to be thorough) answer helps better explain how KBA works… thoughts?